Protocol converter and automation system

ABSTRACT

In an automation system, a protocol converter is provided between a first network and a second network for converting safety-related messages between the first and second networks that use different network protocols for message exchange. In the protocol converter, a single-channel filter connected to a single-channel interface determines messages having a first safety communication protocol from messages received from the interface over the first network and messages having a second safety communication protocol received over the second network. An at least dual-channel safety module connected to the single-channel filter then converts the messages with the first safety communication protocol determined by the single-channel filter into messages with the second safety communication protocol, or converts the messages with the second safety communication protocol determined by the single-channel filter into messages with the first safety communication protocol.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present patent application is a continuation of International Patent Application PCT/EP2021/063320, “Protocol Converter and Automation System” filed May 19, 2021, which claims the priority of German Patent Application DE 10 2020 113 572.6, “Protokollumsetzer and Automatisierungssystem,” filed May 19, 2020, the disclosure content of each of which is hereby incorporated by reference herein, in the entirety and for all purposes.

FIELD

The present invention relates to a protocol converter and an automation system comprising such a protocol converter.

BACKGROUND

Modern concepts of industrial automation, i.e. controlling and monitoring technical processes by software, are based on the idea of a central control with a simultaneously distributed sensor/actuator level. A bus system, referred to in the following as a field-bus system, connects the field devices such as sensors and actuators to an automation device.

So that the subscribers on the field bus may send their messages over the same line, a standardized protocol is used for message transmission between the subscribers, referred to in the following as field-bus protocol, which specifies who (identifier) outputs what (measured value, command) on the field bus and when (initiative).

Nowadays, field-bus systems are an integral part of every production system. Depending on the manufacturer, different field-bus technologies are favored, which differ in terms of the connection structure, bus access and the standardized field-bus protocol. In many production systems, therefore, the requirement arises to combine the various field-bus technologies used into a common field-bus solution. Such an integration is realized by protocol converters, also referred to as gateways in the following.

Gateways may interconnect different, even heterogeneous networks and allow for routing across network boundaries. In this context, the gateway represents a common subscriber that belongs to the networks to be connected and handles the cross-network data traffic. Gateways perform protocol conversion when passing from one network to another and convert incoming data. Protocol data not supported by the target network may be omitted in the gateway, and additional protocol data required for onward transport may be added by the gateway.

An essential requirement for an automation system is error safety. When controlling and monitoring technical processes, it must be ensured that if the automation system operates incorrectly, this does not result in any danger to people or environment.

For transmitting safety-relevant messages between safety-relevant communication subscribers in a field-bus system, a safety-certified field-bus protocol, referred to in the following as safety-field-bus protocol, is used. Such a safety-field-bus protocol, generally also referred to as a safety communication protocol if there is no reference to a field bus, allows for safe message transmission on the field bus, even if there are any number of unsafe field-bus devices in the transmission path between the two safety-relevant communication subscribers and the transmission path therefore forms a so-called black channel.

The EN ISO 13849-1 and IEC/EN 62061 standards specify the safety-related performance of automation systems required for risk reduction. In order to achieve the desired safety-related performance, the safety-certified field and automation devices that form the safety-relevant subscribers in the network and for which a safety field-bus protocol is used generally have at least dual-channel hardware. Alternatively, single-channel hardware may also be used if the software is embodied with at least two channels.

In order to allow for communication between safety-relevant subscribers in networks that support different safety field-bus protocols, safety gateways with dual-channel hardware or software are then implemented in addition to conventional gateways.

However, dual-channel hardware brings about increased hardware costs. A dual-channel software, on the other hand, requires a powerful microprocessor as well as sufficient memory.

SUMMARY

The invention provides an improved protocol converter for cross-network data traffic of safety-relevant messages and a corresponding automation system.

According to a first aspect, a protocol converter converts safety-relevant messages between a first network and a second network, wherein the first and second networks use different network protocols for message exchange, wherein the first network comprises at least one first subscriber having a first safety communication layer which processes a first safety communication protocol, and wherein the second network comprises at least one second subscriber having a second safety communication layer which processes a second safety communication protocol. The protocol converter comprises a single-channel interface which allows for message exchange with the first network and/or with the second network.

The protocol converter further comprises a single-channel filter connected to the interface for determining messages with the first safety communication protocol and messages with the second safety communication protocol from messages received by the interface device. The protocol converter further comprises an at least dual-channel safety module connected to the single-channel filter for converting messages with the first safety communication protocol detected by the filter into messages with the second safety communication protocol and for converting messages with the second safety communication protocol detected by the single-channel filter into messages with the first safety communication protocol, respectively.

According to a second aspect, an automation system comprises a first network and a second network using different network protocols, wherein the first network comprises at least one first subscriber having a first safety communication layer processing a first safety communication protocol, wherein the second network comprises at least one second subscriber having a second safety communication layer processing a second safety communication protocol, and wherein between the first network and the second network a protocol converter for converting safety-relevant messages between a first network and a second network is provided. The protocol converter comprises a single-channel interface which allows for message exchange with the first network and/or with the second network.

The protocol converter further comprises a single-channel filter connected to the interface for determining messages with the first safety communication protocol and messages with the second safety communication protocol from messages received by the interface device. The protocol converter further comprises an at least dual-channel safety module connected to the filter for converting messages with the first safety communication protocol detected by the single-channel filter into messages with the second safety communication protocol and for converting messages with the second safety communication protocol detected by the single-channel filter into messages with the first safety communication protocol, respectively.

According to a second aspect, a protocol converter for converting safety-related messages between a first network and a second network comprises a single-channel interface that allows for message exchange with a network. The protocol converter further comprises a single-channel filter which is connected to the interface and determines messages having a first safety communication protocol and messages having a second safety communication protocol from messages received by the interface device. The protocol converter further comprises a dual-channel safety module connected to the single-channel filter and converting the messages with the first safety communication protocol determined by the single-channel filter into messages with a second safety communication protocol, and converting the messages with the second safety communication protocol determined by the single-channel filter into messages with the first safety communication protocol.

EXAMPLES

In an automation system having a first network and a second network, in which the first and second networks use different network protocols for message exchange, and in which the first network comprises at least one first subscriber having a first safety communication layer that processes a first safety communication protocol and in which the second network comprises at least one second subscriber having a second safety communication layer that processes a second safety communication protocol, a protocol converter is provided between the first and second networks for converting safety-related messages between the first and the second network.

The protocol converter comprises a single-channel interface that allows for message exchange with the first network and/or with the second network. A single-channel filter connected to the interface determines messages having the first safety communication protocol and messages having the second safety communication protocol from messages received by the interface device. An at least dual-channel safety module connected to the single-channel filter then converts the messages with the first safety communication protocol determined by the filter into messages with the second safety communication protocol, or converts the messages with the second safety communication protocol determined by the single-channel filter into messages with the first safety communication protocol.

The protocol converter for cross-network data traffic of safety-relevant messages in the automation system may essentially be implemented as a single-channel system. Only the safety-relevant routines are embodied with at least two channels. This has the advantage that the hardware or software costs for a second channel may largely be saved.

The single-channel interface comprises a single-channel first interface enabling message exchange with the first network comprising the at least one first subscriber with the first safety communication layer processing the first safety communication protocol, and a single-channel second interface enabling message exchange with the second network comprising the at least one second subscriber with the second safety communication layer processing the second safety communication protocol.

Furthermore, the filter comprises a single-channel first filter for determining messages having the first safety communication protocol from messages received by the first interface and a single-channel second filter for determining messages having the second safety communication protocol from messages received by the second interface. The at least dual-channel safety module is connected to the first and second filters to convert messages with the first safety communication protocol determined by the first filter into messages with the second safety communication protocol and to convert messages with the second safety communication protocol determined by the second filter into messages with the first safety communication protocol, respectively.

This embodiment allows for integrated protocol conversion, in which protocol conversion of both non-safety-related messages and safety-related messages may be implemented in a single protocol converter.

The dual-channel safety module may have at least two parallel software function channels. A low-cost microcontroller requiring comparatively little memory because only a few safety-relevant software functions have to be implemented on two channels may then be used in the protocol converter.

A single-channel operating function module connected to the filter and the safety module may be provided in the protocol converter to cyclically call up the filter and the safety module. This embodiment ensures stable operation of the protocol converter.

BRIEF DESCRIPTION OF THE DRAWINGS

So that the manner in which the above recited features of the present invention can be understood in detail, a more particular description of the invention, briefly summarized above, may be had by reference to embodiments, some of which are illustrated in the appended drawings. It is to be noted, however, that the appended drawings illustrate only typical embodiments of this invention and are therefore not to be considered limiting of its scope, for the invention may admit to other equally effective embodiments.

FIG. 1 shows an automation system having a safety gateway between an EtherCAT network and a PROFINET network, wherein the EtherCAT network comprises a subscriber with a safety communication layer that processes an FSoE communication protocol and the PROFINET network comprises a subscriber having a safety communication layer which processes a PROFIsafe communication protocol.

FIG. 2 shows the schematic structure of the safety gateway in the automation system of FIG. 1.

FIG. 3 shows a flow chart of a transmission of a safety-relevant message in the automation system of FIG. 1 from the FSoE safety subscriber in the EtherCAT network to the PROFIsafe safety subscriber in the PROFINET network.

FIG. 4 shows a flow chart of a transmission of a safety-relevant message in the automation system of FIG. 1 from the PROFIsafe safety subscriber in the PROFINET network to the FSoE safety subscriber in the EtherCAT network.

FIG. 5 shows the schematic structure of a safety gateway having an EtherCAT interface and an I/O-Link interface.

FIG. 6 shows the schematic structure of a safety gateway having an EtherCAT interface and a general hardware interface.

DETAILED DESCRIPTION

The figures are merely schematic and not to scale. Furthermore, the reference numerals in the figures are chosen unchanged if they are elements or components of the same embodiment.

In industrial automation, networks are used to connect distributed field devices of a sensor/actuator level with a control level. The automation networks, also referred to as field-bus systems, usually have a serial bus to which the network subscribers are connected. Different field bus concepts are used by the manufacturers which differ with regard to the connection structure, the bus access and the standardized field-bus protocol, also referred to as network protocol in the following if no reference to a field bus is indicated.

The network protocol defines how the data exchange between the subscribers in the network is to be carried out. In doing so, the network protocol determines the rules and formats for the communication behavior of the subscribers. The network protocol usually has a layered architecture, wherein the individual protocol layers are defined in the OSI reference model.

The message structure defined by the network protocol contains all information important for exchanging data, such as sender and recipient, message type, message size and checksum for tracing an error-free transmission. This information is prepended to the user data in the message as a header or appended as a trailer.

The possible network protocols may differ at various points. For example, the network protocol may specify that communication may only take place in one direction or that communication is possible in both directions at the same time. Furthermore, the network protocol may determine that the communication is synchronized with a clock signal or that it should be asynchronous. The network protocol may further determine the number of subscribers that are allowed to participate in the communication. Also, the network protocol may determine that a transmission is to be made to only one recipient, a transmission is to be made to multiple recipients, or a message transmission is to be made to all subscribers.

Furthermore, network protocols may differ with regard to the position of the subscribers. If all subscribers have equal rights, symmetrical communication takes place; otherwise, asymmetrical communication takes place. Network protocols also distinguish between synchronous communication, in which a response is waited for after a request, and asynchronous communication, in which no response is required. The network protocol may perform packet-oriented communication or be embodied to be connection-oriented.

The Ethernet protocol has established itself as the communication standard for short-range networks, especially for automation networks. Within the framework of the OSI layer model, the Ethernet protocol defines the two lowest protocol layers, the physical layer and the safety layer. For data transmission in the higher protocol layers, standard communication protocols such as the TCP/IP protocol may be used in the Ethernet concept.

The Ethernet protocol divides up the data to be transmitted into data packets, referred to as frames, the structure of which is defined in the IEEE 802.3 standard. The actual Ethernet frame is preceded by a preamble and a start bit, referred to as Start Frame Delimiter SFD. This is followed by the actual Ethernet data packet. The Ethernet data packet consists of a header section, a user data block and an end section, the trailer.

The header starts with a 6-byte field for the target address, followed by another 6-byte field with the source address. This may be followed by another 4-byte field, referred to as VLAN tag, with additional control data in the header which particularly contains prioritization information. The header ends with a 2-byte field, referred to as type field, which provides information on the protocol by which the data in the user data block are to be processed.

The user data block following the header may have a length of 1500 bytes, wherein larger data blocks may be permitted in different Ethernet protocol extensions, as well. The user data block is terminated by a field of variable length, referred to as PAD field, which guarantees the specified minimum length of the Ethernet frame.

The user data block is followed by the trailer, which has a 4-byte field with a checksum. When an Ethernet frame is created, a CRC calculation is performed over the bit sequence and the checksum is appended to the data block. The recipient performs the same calculation upon receipt. If the received checksum does not match the self-calculated checksum, the recipient assumes a faulty transmission. The Ethernet frame is then discarded.

The use of the Ethernet standard in industrial automation allows for providing real-time solutions. Real-time capable field-bus systems based on the Ethernet standard are e.g. PROFINET, EtherCAT, Powerlink or SERCOS III. The field-bus protocol used in each case is displayed in the type field in the header of the Ethernet frame.
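The frame layout, checksum rule and type-field lookup described above can be exercised with a small receive-side check that discards frames with a bad checksum and sorts the rest into EtherCAT, PROFINET and other traffic; this is an added example, not code from the patent. The EtherType constants and the 64-byte minimum frame length are standard values that the page does not state, and the addresses and payload bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IEEE-registered EtherType values (standard values, not given on the page). */
#define ETH_TYPE_VLAN     0x8100u  /* 4-byte VLAN tag follows the source address */
#define ETH_TYPE_PROFINET 0x8892u
#define ETH_TYPE_ETHERCAT 0x88A4u
#define ETH_MIN_FRAME     64u      /* header + user data + PAD + checksum */

enum frame_class { FRAME_INVALID, FRAME_ETHERCAT, FRAME_PROFINET, FRAME_OTHER };

struct eth_view {
    uint16_t ethertype;      /* type field found after any VLAN tag */
    int has_vlan;
    uint8_t priority;        /* 3-bit priority from the VLAN tag, 0 if untagged */
    const uint8_t *payload;  /* user data block, PAD bytes included */
    size_t payload_len;
};

/* CRC-32 used for the Ethernet checksum (reflected polynomial 0xEDB88320). */
static uint32_t crc32_ieee(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Validate length and checksum first, then sort the frame by its type field. */
static enum frame_class eth_classify(const uint8_t *f, size_t len, struct eth_view *out)
{
    if (f == NULL || out == NULL || len < ETH_MIN_FRAME)
        return FRAME_INVALID;
    /* The checksum is stored least significant byte first. */
    const uint8_t *t = f + len - 4;
    uint32_t fcs = (uint32_t)t[0] | (uint32_t)t[1] << 8 |
                   (uint32_t)t[2] << 16 | (uint32_t)t[3] << 24;
    if (fcs != crc32_ieee(f, len - 4))
        return FRAME_INVALID;          /* faulty transmission: discard */

    size_t off = 12;                   /* 6-byte target + 6-byte source address */
    uint16_t type = (uint16_t)(f[off] << 8 | f[off + 1]);
    memset(out, 0, sizeof *out);
    if (type == ETH_TYPE_VLAN) {       /* optional tag shifts the type field by 4 */
        out->has_vlan = 1;
        out->priority = (uint8_t)(f[off + 2] >> 5);
        off += 4;
        type = (uint16_t)(f[off] << 8 | f[off + 1]);
    }
    off += 2;
    out->ethertype = type;
    out->payload = f + off;
    out->payload_len = len - 4 - off;
    if (type == ETH_TYPE_ETHERCAT) return FRAME_ETHERCAT;
    if (type == ETH_TYPE_PROFINET) return FRAME_PROFINET;
    return FRAME_OTHER;
}

/* Build a constructed sample frame; prio < 0 means no VLAN tag. Returns length. */
static size_t eth_build(uint8_t *buf, size_t cap, uint16_t type, int prio,
                        const uint8_t *data, size_t n)
{
    size_t hdr = prio >= 0 ? 18 : 14;
    size_t body = hdr + n < 60 ? 60 : hdr + n;   /* PAD up to the minimum length */
    if (cap < body + 4) return 0;
    memset(buf, 0, body);
    memset(buf, 0x02, 12);                       /* constructed addresses */
    size_t off = 12;
    if (prio >= 0) {
        buf[off++] = 0x81; buf[off++] = 0x00;
        buf[off++] = (uint8_t)(prio << 5); buf[off++] = 0x00;
    }
    buf[off++] = (uint8_t)(type >> 8);
    buf[off++] = (uint8_t)type;
    memcpy(buf + off, data, n);
    uint32_t crc = crc32_ieee(buf, body);
    for (int i = 0; i < 4; i++)
        buf[body + i] = (uint8_t)(crc >> (8 * i));
    return body + 4;
}

int main(void)
{
    static const uint8_t data[] = { 0x01, 0x02, 0x03, 0x04 };  /* constructed */
    uint8_t frame[128];
    struct eth_view v;
    size_t n = eth_build(frame, sizeof frame, ETH_TYPE_PROFINET, 6, data, sizeof data);
    enum frame_class c = eth_classify(frame, n, &v);
    printf("class=%d vlan=%d prio=%u payload=%zu\n",
           (int)c, v.has_vlan, (unsigned)v.priority, v.payload_len);
    frame[20] ^= 0x01;   /* a single flipped bit fails the checksum comparison */
    printf("after bit flip: class=%d\n", (int)eth_classify(frame, n, &v));
    return 0;
}
```

The Ethernet checksum only covers one hop and says nothing about the safety PDU carried in the user data block, which is why the safety communication protocols treat this whole path as a black channel.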

In addition to the Ethernet standard, other field-bus protocols such as CANopen, Interbus or Profibus may also be used in automation systems.

Field-bus systems are often operated as master-slave systems. The master subscriber in the field-bus system is the controller that has bus access authorization and may output data to the field bus. The slave subscribers in the field-bus system are the field devices, such as I/O devices, valves, drives, sensors, transmitters, etc. They do not have bus access authorization and may only acknowledge received data and transmit data upon request by the master subscriber.

In master-slave systems, control via a field-bus system is then usually carried out in such a way that the master subscriber cyclically performs control processes in order to generate output data for slave subscribers and/or other slave subscribers on the basis of input data from slave subscribers.

After completion of a control process cycle, the master subscriber sends the output data in the form of messages on the field bus, wherein the slave subscribers take the output data assigned to the respective slave subscriber from the messages and execute a local subscriber process with this output data. The data determined by the local subscriber process is then in turn transmitted from the slave subscriber to the master subscriber and then used as input data for the next control process cycle by the master subscriber.

For direct connection of sensors and actuators in an automation system, simplified communication protocols may be used for exchanging data in addition to the field-bus system. One such field-bus system with a simplified communication protocol is the I/O-Link system which consists of an I/O-Link master subscriber and one or a plurality of I/O-Link slave subscribers, the sensors and actuators. The I/O-Link master subscriber provides the interface to the superordinate controller and controls communication with the connected I/O-Link field devices.

A central requirement for automation systems is secure and reliable data transmission. To control and monitor technical processes in the context of industrial automation, it must be ensured that errors in the automation system are reliably detected. Therefore, additional safety measures are often implemented in the automation system to ensure that errors are detected with a high probability in order to minimize the risk of undetected errors.

The safety measures provided for risk reduction in automation systems are described in the EN ISO 13849-1 and IEC/EN 62061 standards. The safety measures required for the individual subscribers depend on the safety functions assigned to the respective subscriber. An essential safety measure is the redundant embodiment of the subscriber in the form of dual-channel hardware. Alternatively, single-channel hardware may also be used provided that the software is embodied with two channels.

A safety-certified communication protocol is still required for the transmission of safety-relevant messages between safety-relevant subscribers on the field bus.

Automation systems are often used in mixed operation with safety-relevant subscribers and non-safety-relevant subscribers, with any number of unsafe field-bus devices then being located between the safety-relevant subscribers on the field bus. The safety-certified communication protocols are usually embodied in such a way that safety-relevant messages may also be transmitted via a communication channel with unsecured properties, referred to as black channel. The safety protocol that corresponds to the safety level of the safety-related automation system and detects and controls transmission errors on the field bus is then integrated between the safety-related subscribers and the “non-safe” field bus.

Safety variants for the transmission of safety-relevant messages have been developed for the various field-bus protocols. For the Ethernet-based EtherCAT field-bus protocol, the safety variant Safety over EtherCAT, abbreviated FSoE, is e.g. provided. The safety derivative for PROFINET is PROFIsafe. For the simplified I/O-Link communication protocol, I/O-Link-Safety, a safety extension is provided, as well.

In complex production plants, the automation systems consist of different, also heterogeneous networks, in which different communication protocols are used in the individual network areas, depending on the manufacturer. To enable communication between the subscribers across network boundaries, protocol converters, also referred to as gateways in the following, are used between the individual networks to establish the connection between the networks.

The gateway is then a subscriber in each of the networks to be connected and handles the cross-network data traffic. In doing so, the gateway processes the forwarded messages by performing a protocol conversion between the networks. The gateway may add or remove protocol data as required.

If gateways are used in the context of a transmission of safety-relevant messages, the gateways must fulfill the corresponding safety-related requirements. In order to implement safety gateways in a cost-effective manner, the required dual-channel hardware or software embodiment is reduced to the core area.

The gateway then comprises an interface that enables messages to be exchanged with the first network and with a second network. A single-channel filter is then connected to the interface device, which determines messages with a first safety communication protocol and messages with a second safety communication protocol from the messages received by the interface device.

An at least dual-channel safety module in the gateway connected to the filter converts messages with the first safety communication protocol determined by the filter into messages with the second safety communication protocol, or messages with the second safety communication protocol into messages with the first safety communication protocol.

With this embodiment, cross-network data traffic, including safety-relevant messages, may essentially be implemented in the gateway as a single channel. Only the safety-relevant routines in protocol conversion are implemented as two channels. The dual-channel safety module may be realized by at least two parallel software function channels. With the gateway, a low-cost microcontroller that requires comparatively little memory may then perform the safety-relevant protocol conversion in two channels.

The single-channel interface may thereby comprise a single-channel first interface allowing for message exchange with the first network comprising the at least one first subscriber with the first safety communication layer that processes the first safety communication protocol, and a single-channel second interface enabling message exchange with the second network comprising the at least one second subscriber having the second safety communication layer that processes the second safety communication protocol.

Furthermore, the filter may comprise a single-channel first filter to determine messages having the first safety communication protocol from messages received from the first interface and a single-channel second filter to determine messages having the second safety communication protocol from messages received from the second interface.

The at least dual-channel safety module is then connected to the first and second filters to convert messages detected by the first filter using the first safety communication protocol into messages using the second safety communication protocol and to convert messages detected by the second filter using the second safety communication protocol into messages using the first safety communication protocol, respectively. A single-channel operational function module is further connected to the first filter, the second filter and the safety module to cyclically address the first filter, the second filter and the safety module.

This embodiment allows for integrated protocol conversion, in which protocol conversion of both non-safety-related messages and safety-related messages may be implemented in a single protocol converter.

FIG. 1 schematically shows the basic structure of an automation systemwith a first network 10 and a second network 20, which areinterconnected via a gateway, also referred to as protocol converter 30in the following, which performs an integrated protocol conversion. Eachnetwork comprises at least one master subscriber forming the controllevel, and at least one slave subscriber representing thesensor/actuator level.

In each network, the master subscriber and the slave subscriber areconnected to each other via a serial bus by which the messages areexchanged between the master subscriber and the slave subscriber takesplace. The serial bus of the first network 10 is coupled to the serialbus of the second network 20 by the gateway.

The data transmission in the first network 10 and in the second network20, respectively, is organized by the master subscriber in the form ofdata packets, wherein the Ethernet field-bus protocol EtherCAT is usedin the first network 10 and the Ethernet field-bus protocol PROFINET isused in the second network 20. The first network 10 is therefore in thefollowing referred to as EtherCAT network 1 and the second network 20 isin the following referred to as PROFINET network 2. The mastersubscriber in EtherCAT network 1 is then an EtherCAT master 11 and themaster subscriber in the second PPROFINET network is a PPROFINET master21.

The gateway that performs the data exchange between the EtherCAT network1 and the PPROFINET network 2 is an EtherCAT/PPROFINET gateway 3 thatperforms a protocol conversion from the EtherCAT field-bus protocol tothe PROFINET field-bus protocol and vice versa.

The two field-bus protocols EtherCAT and PROFINET used in the first andsecond network 10, 20 are only examples. Alternatively, it is alsopossible to use another field-bus protocol based on the Ethernetstandard, but also a non-Ethernet-based field-bus protocol.

In the automation system shown in FIG. 1 , both the slave subscriber inthe EtherCAT network and the slave subscriber in the PPROFINET networkare safety-relevant. The slave subscriber in the EtherCAT network 1,which is also referred to as the first subscriber 13, operates with thesafety variant Safety over EtherCAT, abbreviated FSoE, of EtherCAT andis an FSoE safety subscriber 12. The EtherCAT master 11 of the EtherCATnetwork 1 controls the message transmission, but does not usuallyperform any independent process data processing, which is why the FSoEsafety communication protocol does not have to be implemented in theEtherCAT master 11.

The slave subscriber in the PROFINET network 1, which is also referredto as the second subscriber 23, operates with the safety variant ofPROFINET called PROFIsafe and is a PROFIsafe safety subscriber 22. ThePROFINET master 21 of PROFINET network 2 then also uses the PROFIsafesafety communication protocol.

Furthermore, both the FSoE safety communication protocol and thePROFIsafe safety communication protocol are installed on theEtherCAT/PPROFINET gateway 3 for a protocol conversion between theEtherCAT network 1 and the PROFINET network 2. The EtherCAT/PPROFINETgateway 3 therefore represents a safety gateway.

Instead of a single safety-relevant slave subscriber, as shown in FIG. 1, any number of safety-relevant slave subscribers may also be providedon the respective field bus. Furthermore, non-safety-relevantsubscribers may also be included in the individual networks in additionto safety-relevant subscribers. The control level in the networks mayalso be divided up among several master subscribers, depending on whichfield-bus protocol is used.

The exchange of messages between the EtherCAT network 1 and the PROFINETnetwork 2 in the automation system shown in FIG. 1 takes place in thefollowing manner:

-   -   The FSoE safety subscriber 12 generates an FSoE message that is        retrieved by the EtherCAT master 11 and transmitted to the        EtherCAT/PPROFINET gateway 3. In the EtherCAT/PPROFINET gateway        3, the FSoE message is converted into a PROFIsafe message. The        EtherCAT/PROFINET gateway 3 passes the PROFIsafe message on to        the PROFINET master 21, which sends the PROFIsafe message to the        PROFIsafe safety subscriber 22, which interprets the PROFIsafe        message.

In the opposite direction, the PROFIsafe safety subscriber 22 sends aPROFIsafe message to the PROFINET master 21, which transfers thePROFIsafe message to the EtherCAT/PROFIsafe gateway 3. TheEtherCAT/PPROFINET gateway 3 converts the PROFIsafe message into an FSoEmessage. The FSoE message is then retrieved by the EtherCAT master 11and transferred to the FSoE safety subscriber 21, which interprets theFSoE message.

The safety-relevant subscribers in the two networks, in the case of the illustration shown in FIG. 1 both the PROFINET master 21 and the slave subscribers FSoE safety subscriber 12 and PROFIsafe safety subscriber 22, comprise a safety communication layer for processing safety data. In accordance with the safety requirements, the safety communication layer is usually embodied with two channels in the form of hardware and/or software.

FIG. 2 shows in detail the structure of the EtherCAT/PROFINET gateway 3, which operates as a safety gateway. The EtherCAT/PROFINET gateway 3 thereby comprises a microcontroller 31 as the central unit.

For connection to the EtherCAT network 1, an EtherCAT slave controller 32 is provided as a single-channel first interface 42, which allows for data exchange using the messages on the EtherCAT field bus 1. The EtherCAT slave controller 32 is connected to an EtherCAT memory 33, which forms the interface between the EtherCAT slave controller 32 and the microcontroller 31 and in which the messages exchanged between the EtherCAT slave controller 32 and the EtherCAT field bus 1 are stored.

For connection to the PROFINET field bus 2, a PROFINET slave controller 34 is provided as a single-channel second interface 44 that performs data exchange with the messages on the PROFINET field bus 2. The PROFINET slave controller 34 is connected to a PROFINET memory 35, which forms the interface between the PROFINET slave controller 34 and the microcontroller 31. The messages exchanged between the PROFINET slave controller 34 and the PROFINET field bus are stored in the PROFINET memory 35.

On the microcontroller 31, a software module EtherCAT slave functions 311 is provided, which is connected to the EtherCAT memory 33 and, among other things, operates as a single-channel first filter 321 to determine FSoE messages from messages stored in the EtherCAT memory 33. The EtherCAT slave functions software module 311 is further connected to an FSoE memory 312 in which the FSoE messages are stored. The FSoE memory 312 in turn comprises an interface to a software module safety functions 4, which forms a dual-channel safety module.

A software module PROFINET slave functions 313 is further provided on the microcontroller 31, which is connected to the PROFINET memory 35 and, among other things, operates as a single-channel second filter 323 to determine PROFIsafe messages from the messages stored in the PROFINET memory 35. The software module PROFINET slave functions 313 is further connected to a PROFIsafe memory 314 in which the PROFIsafe messages are stored. The PROFIsafe memory 314 also comprises an interface to the dual-channel software module safety functions 4.

A black channel is present in the EtherCAT/PROFINET gateway 3 up to the safety functions 4 software module. The safety module safety functions 4 may then detect changes in the FSoE messages or the PROFIsafe messages. The software module safety functions 4 is further embodied to convert FSoE messages into PROFIsafe messages and PROFIsafe messages into FSoE messages.

A single-channel operational function module 315 connected to the EtherCAT slave functions software module 311, the PROFINET slave functions software module 313, and the safety functions software module 4 is further provided on the microcontroller 31 to cyclically address the EtherCAT slave functions software module 311, the PROFINET slave functions software module 313, and the safety functions software module 4.

The EtherCAT/PROFINET gateway 3 operates as follows when converting an FSoE message into a PROFIsafe message:

The FSoE message contained in an EtherCAT data packet is received by the EtherCAT slave controller 32 via the EtherCAT network 1 and written to the EtherCAT memory 33. From the EtherCAT memory 33 the FSoE message is transferred by the single-channel software module EtherCAT slave functions 311 to the FSoE memory 312.

The black channel in the EtherCAT/PROFINET gateway 3 extends to the FSoE memory 312. The dual-channel safety module safety functions 4 may detect changes to the FSoE message stored in the FSoE memory 312. The dual-channel software module safety functions 4 converts the FSoE message into the PROFIsafe message and stores it in the PROFIsafe memory 314.

The single-channel software module PROFINET slave functions 313 copies the PROFIsafe message from the PROFIsafe memory 313 to the PROFINET memory 35. If a corresponding PROFINET data packet is received by the PROFINET slave controller 34 to read the PROFINET memory 35, the PROFIsafe message is inserted into the PROFINET data packet by the PROFINET slave controller 34.
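The FSoE-to-PROFIsafe path described above can be sketched as follows; this is an added example, not code from the patent or from any product. The two frame layouts, the CRC-16 protection and the modelling of "dual-channel" as two diverse computations whose results are compared are all assumptions made for illustration; only the module roles (filter 311, FSoE memory 312, safety functions 4, PROFIsafe memory 314) come from the text.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy layouts (NOT the real FSoE or PROFIsafe frame formats):
 *   FSoE-like:      [0xA5][seq][d0][d1][crc_hi][crc_lo]
 *   PROFIsafe-like: [0x5A][d0][d1][seq][crc_lo][crc_hi]
 * In both, CRC-16/CCITT-FALSE protects the first four bytes. */
enum { FRAME_LEN = 6, TAG_A = 0xA5, TAG_B = 0x5A };
enum { CONV_OK = 0, CONV_BAD_CRC = -1, CONV_MISMATCH = -2, CONV_NO_FRAME = -3 };
typedef uint16_t (*crc_fn)(const uint8_t *, size_t);
static uint8_t psafe_mem[FRAME_LEN];   /* stands in for PROFIsafe memory 314 */

/* Channel 1 CRC: bit by bit, polynomial 0x1021, initial value 0xFFFF. */
static uint16_t crc16_bitwise(const uint8_t *p, size_t n)
{
    uint16_t crc = 0xFFFF;
    while (n--) {
        crc ^= (uint16_t)(*p++ << 8);
        for (int i = 0; i < 8; i++)
            crc = (uint16_t)((crc & 0x8000) ? (crc << 1) ^ 0x1021 : crc << 1);
    }
    return crc;
}

/* Channel 2 CRC: same polynomial, diverse nibble-table implementation. */
static uint16_t crc16_nibble(const uint8_t *p, size_t n)
{
    static const uint16_t t[16] = {
        0x0000, 0x1021, 0x2042, 0x3063, 0x4084, 0x50A5, 0x60C6, 0x70E7,
        0x8108, 0x9129, 0xA14A, 0xB16B, 0xC18C, 0xD1AD, 0xE1CE, 0xF1EF };
    uint16_t crc = 0xFFFF;
    for (; n--; p++) {
        crc = (uint16_t)((crc << 4) ^ t[((crc >> 12) ^ (*p >> 4)) & 0x0F]);
        crc = (uint16_t)((crc << 4) ^ t[((crc >> 12) ^ *p) & 0x0F]);
    }
    return crc;
}

/* Single-channel filter (role of module 311): copy the first safety-tagged
 * slot into the safety memory. It checks nothing: still black channel. */
static int filter_copy(const uint8_t *iface_mem, size_t slots, uint8_t *safety_mem)
{
    for (size_t i = 0; i < slots; i++)
        if (iface_mem[i * FRAME_LEN] == TAG_A) {
            memcpy(safety_mem, iface_mem + i * FRAME_LEN, FRAME_LEN);
            return 1;
        }
    return 0;
}

/* One channel: verify the received CRC, reorder the fields, re-protect. */
static int convert_channel(const uint8_t *in, uint8_t *out, crc_fn crc)
{
    uint16_t rx = (uint16_t)((in[4] << 8) | in[5]);
    if (in[0] != TAG_A || crc(in, 4) != rx)
        return CONV_BAD_CRC;
    out[0] = TAG_B; out[1] = in[2]; out[2] = in[3]; out[3] = in[1];
    uint16_t tx = crc(out, 4);
    out[4] = (uint8_t)(tx & 0xFF); out[5] = (uint8_t)(tx >> 8);
    return CONV_OK;
}

/* Dual-channel safety module (role of module 4): both channels must accept the
 * frame and produce identical output before the result is released. */
static int safety_convert(const uint8_t *fsoe_mem, uint8_t *out_mem)
{
    uint8_t a[FRAME_LEN], b[FRAME_LEN];
    int ra = convert_channel(fsoe_mem, a, crc16_bitwise);
    int rb = convert_channel(fsoe_mem, b, crc16_nibble);
    if (ra != rb || (ra == CONV_OK && memcmp(a, b, FRAME_LEN) != 0))
        return CONV_MISMATCH;
    if (ra == CONV_OK)
        memcpy(out_mem, a, FRAME_LEN);
    return ra;
}

/* One gateway cycle on constructed data. flip_mask models a fault in the
 * single-channel path that corrupts the copy held in the FSoE memory 312. */
static int gateway_cycle(uint8_t flip_mask)
{
    uint8_t iface_mem[2 * FRAME_LEN] = { 0x01, 0x02, 0x03 };  /* slot 0: non-safety data */
    uint8_t fsoe_mem[FRAME_LEN];
    uint8_t *f = iface_mem + FRAME_LEN;                       /* slot 1: safety frame */
    f[0] = TAG_A; f[1] = 7; f[2] = 0x12; f[3] = 0x34;         /* seq 7, data 0x12 0x34 */
    uint16_t c = crc16_bitwise(f, 4);
    f[4] = (uint8_t)(c >> 8); f[5] = (uint8_t)(c & 0xFF);
    memset(psafe_mem, 0, FRAME_LEN);
    if (!filter_copy(iface_mem, 2, fsoe_mem))
        return CONV_NO_FRAME;
    fsoe_mem[2] ^= flip_mask;
    return safety_convert(fsoe_mem, psafe_mem);
}

int main(void)
{
    printf("clean copy: %d, corrupted copy: %d\n", gateway_cycle(0x00), gateway_cycle(0x04));
    return 0;
}
```

The filter and both memories sit in the black channel, so a fault there is only caught once the safety module re-checks the frame's own protection; nothing is written to the output memory on a rejected frame.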

The EtherCAT/PROFINET gateway 3 operates as follows when converting a PROFIsafe message into an FSoE message:

The PROFIsafe message contained in a PROFINET data packet is received by the PROFINET slave controller 34 and written to the PROFINET memory 35. From the PROFINET memory 35, the PROFIsafe message is transferred by the single-channel software module PROFINET slave functions 313 to the PROFIsafe memory 314.

The black channel of the EtherCAT/PROFINET gateway 3 further includes the PROFIsafe memory 314. The dual-channel safety module safety functions 4 may then detect changes to the PROFIsafe message stored in the PROFIsafe memory 314. The dual-channel software module safety functions 4 converts the PROFIsafe message into the FSoE message and stores the FSoE message in the FSoE memory 312.

The single-channel software module EtherCAT slave functions 311 copies the FSoE message from the FSoE memory 312 into the EtherCAT memory 33. If a corresponding EtherCAT data packet is received by the EtherCAT controller 32 to read the EtherCAT memory 33, the FSoE message is inserted into the EtherCAT data packet by the EtherCAT controller 32.

A software module operating function module 315 ensures that the dual-channel software module safety functions 4 as well as the one-channel software module EtherCAT slave functions 311 and the one-channel software module PROFINET slave functions 313 are addressed cyclically to execute the operations described above.

The EtherCAT/PROFINET gateway 3 shown in FIG. 2 is embodied in such a way that a protocol conversion of EtherCAT messages and PROFINET messages as well as of PROFIsafe messages and FSoE messages is implemented. It is furthermore possible to provide separate protocol conversion of the safety-relevant messages and of the non-safety-relevant messages instead of an integrated protocol conversion. The two functions may then be executed separately in independent gateways instead of jointly in one gateway.

The safety gateway, which in FIG. 3 is embodied as a combined EtherCAT slave subscriber and PROFINET slave subscriber, may then also be only an EtherCAT slave subscriber or a PROFINET slave subscriber. Then, only the software module EtherCAT slave functions and the EtherCAT slave controller are provided for connection to the EtherCAT network or the software module PROFINET functions and the PROFINET slave controller are provided for connection to the PROFINET network. The software module safety functions is further embodied to convert FSoE messages into PROFIsafe messages and PROFIsafe messages into FSoE messages.

The conversion from the EtherCAT data packet to the PROFINET data packet, if the safety gateway is only embodied as an EtherCAT slave subscriber, takes place in a downstream EtherCAT/PROFINET gateway. Such a downstream EtherCAT/PROFINET gateway also performs the conversion from the PROFINET data packet to the EtherCAT data packet if the safety gateway is embodied exclusively as a PROFINET slave subscriber.

The safety gateway may basically be embodied as a subscriber of a freely selectable communication system, since both the FSoE protocol and the PROFIsafe protocol may transmit on any communication path. In this case, the software module EtherCAT slave functions 311 or the software module PROFINET slave functions 313 must be replaced by a corresponding software module, the EtherCAT slave controller 32 or the PROFINET slave controller 34 must be replaced by a corresponding controller, a serial interface or a dual-port RAM memory, and the EtherCAT network 1 or the PROFINET network 2 must be replaced by a corresponding network or a corresponding field bus, a point-to-point connection or a data bus.

FIG. 3 and FIG. 4 show a data transmission between the FSoE safety subscriber 12 and the PROFIsafe safety subscriber 22 in the automation network shown in FIG. 1, wherein FIG. 3 shows a transmission of FSoE data from the FSoE safety subscriber 12 to the PROFIsafe safety subscriber 22 and FIG. 4 shows a transmission of PROFIsafe data from the PROFIsafe safety subscriber 22 to the FSoE safety subscriber 12.

Data are transmitted by Ethernet data packets, which, as described above, consist of a header 700, a user data block 710, and a trailer 720 comprising the data packet checksum CRC.

The header 700 of the Ethernet data packets comprises the target address DA in a target address field 120, the source address SA in a source address field 125 and the EtherType in a type field 130. In the type field 130, the Ethernet field-bus protocol is specified by which the data in the user data block is to be processed. For example, the EtherCAT protocol has the value 0x88A4 and the PROFINET protocol has the value 0x8892.

Since when using the EtherCAT protocol the Ethernet data packets are sent by the master subscriber and after processing are also received again by the slave subscribers in passing, no value used for addressing is entered in the header both for the target address DA, i.e. in the target address field 120 and the source address SA, i.e. in the source address field 125. When using the PROFINET protocol, however, the Ethernet data packets that are exchanged between the master subscriber and the slave subscribers are addressed, which is why a value is entered in the header 700 in each case in the target address field 120 for the target address DA and in the source address field 130 for the source address SA.

The user data block 710 of the Ethernet data packets then comprises its own protocol header field 140 with control data of the respective field-bus protocol used, i.e. either EtherCAT or PROFINET. This is then followed by the actual user data area.

Since in the EtherCAT protocol the Ethernet data packets are processed by the slave subscribers in passing, each slave subscriber at the field bus has its own data block area in the user data area, which is part of a datagram. This data block area is also referred to as datagram field in the following. As an example, FIGS. 3 and 4 show a first datagram field 150 and a second datagram field 160. In the PROFINET protocol, on the other hand, data in the user data area is intended for the field-bus subscriber named in the respective target address. Thus, as an example, only one user data field 155 is shown in FIGS. 3 and 4.

The user data block is terminated by a trailer area end field 170 of the respective field-bus protocol used, i.e. either EtherCAT end or PROFINET end.

Trailer 720 then comprises the respective data packet checksum CRC in a trailer field 180.
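The frame layout described above, split into header 700, user data block 710 and trailer 720 and classified by the EtherType values the text gives, as an added example that is not part of the original document. The function and type names are hypothetical; skipping one IEEE 802.1Q VLAN tag goes beyond the text, and the test frames are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHERTYPE_ETHERCAT 0x88A4u   /* value given in the text */
#define ETHERTYPE_PROFINET 0x8892u   /* value given in the text */
#define ETHERTYPE_VLAN     0x8100u   /* IEEE 802.1Q tag, not covered by the text */

enum { HDR_LEN = 14, VLAN_LEN = 4, FCS_LEN = 4 };
enum { FB_OTHER = 0, FB_ETHERCAT = 1, FB_PROFINET = 2, FB_ERR_SHORT = -1, FB_ERR_FCS = -2 };

struct frame_view {
    const uint8_t *da, *sa;     /* target address field 120, source address field 125 */
    uint16_t ethertype;         /* type field 130 */
    const uint8_t *user_data;   /* user data block 710 */
    size_t user_len;
};
static uint8_t frame_buf[32];          /* holds the constructed test frame */
static struct frame_view last_view;    /* result of the most recent parse */

/* IEEE 802.3 frame check sequence: reflected CRC-32, polynomial 0xEDB88320. */
static uint32_t crc32_ieee(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    while (n--) {
        crc ^= *p++;
        for (int i = 0; i < 8; i++)
            crc = (crc >> 1) ^ ((crc & 1u) ? 0xEDB88320u : 0u);
    }
    return ~crc;
}

/* Split a captured frame (FCS included) into header, user data block and
 * trailer, verify the trailer checksum, and classify by EtherType. */
static int parse_frame(const uint8_t *buf, size_t len, struct frame_view *v)
{
    if (len < HDR_LEN + FCS_LEN)
        return FB_ERR_SHORT;
    size_t end = len - FCS_LEN, off = HDR_LEN;
    uint32_t fcs = (uint32_t)buf[end] | (uint32_t)buf[end + 1] << 8 |
                   (uint32_t)buf[end + 2] << 16 | (uint32_t)buf[end + 3] << 24;
    if (crc32_ieee(buf, end) != fcs)
        return FB_ERR_FCS;
    v->da = buf;
    v->sa = buf + 6;
    v->ethertype = (uint16_t)(buf[12] << 8 | buf[13]);
    if (v->ethertype == ETHERTYPE_VLAN) {           /* skip one 802.1Q tag */
        if (end < HDR_LEN + VLAN_LEN)
            return FB_ERR_SHORT;
        v->ethertype = (uint16_t)(buf[16] << 8 | buf[17]);
        off += VLAN_LEN;
    }
    v->user_data = buf + off;
    v->user_len = end - off;
    if (v->ethertype == ETHERTYPE_ETHERCAT) return FB_ETHERCAT;
    if (v->ethertype == ETHERTYPE_PROFINET) return FB_PROFINET;
    return FB_OTHER;
}

/* Build a constructed frame: zeroed addresses, optional VLAN tag, two payload
 * bytes and a valid FCS. Returns the frame length. */
static size_t build_frame(uint8_t *buf, uint16_t ethertype, int vlan)
{
    size_t n = 12;
    memset(buf, 0, n);
    if (vlan) {                                     /* tag with priority 6, VLAN ID 0 */
        buf[n++] = 0x81; buf[n++] = 0x00; buf[n++] = 0xC0; buf[n++] = 0x00;
    }
    buf[n++] = (uint8_t)(ethertype >> 8);
    buf[n++] = (uint8_t)(ethertype & 0xFF);
    buf[n++] = 0xDE; buf[n++] = 0xAD;               /* constructed payload */
    uint32_t fcs = crc32_ieee(buf, n);
    for (int i = 0; i < 4; i++)
        buf[n++] = (uint8_t)(fcs >> (8 * i));       /* FCS stored low byte first */
    return n;
}

/* Classify a constructed frame; flip_bit != 0 corrupts one payload bit first. */
static int classify_constructed(uint16_t ethertype, int vlan, int flip_bit)
{
    size_t len = build_frame(frame_buf, ethertype, vlan);
    if (flip_bit)
        frame_buf[len - FCS_LEN - 1] ^= 0x01;
    return parse_frame(frame_buf, len, &last_view);
}

int main(void)
{
    printf("EtherCAT: %d, tagged PROFINET: %d, corrupted: %d\n",
           classify_constructed(ETHERTYPE_ETHERCAT, 0, 0),
           classify_constructed(ETHERTYPE_PROFINET, 1, 0),
           classify_constructed(ETHERTYPE_ETHERCAT, 0, 1));
    return 0;
}
```

A valid trailer checksum only shows that the frame arrived intact on this hop; the safety message carried in the user data block is still checked separately by the safety module.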

As FIG. 3 shows, the EtherCAT master 11 sends a first EtherCAT data packet E1 having two empty datagrams in the user data area to the two EtherCAT slave subscribers FSoE safety subscriber 12 and EtherCAT/PROFINET gateway 3. For reasons of clarity, the corresponding first and/or second datagram field 150, 160 is absent for an empty datagram. The FSoE safety subscriber 12 enters first data “FSoE message with FSoE data” as write data into the assigned first datagram field 150 of the first EtherCAT data packet E1 when the first EtherCAT data packet E1 passes through. Since there are not yet any write data in the EtherCAT/PROFINET gateway 3, the assigned second datagram field 160 of the first EtherCAT data packet E1 remains empty.

The EtherCAT master 11 then receives the first EtherCAT data packet E1 again and copies the first data “FSoE-message with FSoE-data”. The EtherCAT master 11 subsequently sends a second EtherCAT data packet E2 with the first data “FSoE-message with FSoE-data” as read data in the second datagram field 160 for the EtherCAT slave EtherCAT/PROFINET gateway 3.

The EtherCAT slave controller 32 of the EtherCAT/PROFINET gateway 3 reads the first data “FSoE message with FSoE data” from the assigned second datagram field 160 in the second EtherCAT data packet E2 when the second EtherCAT data packet E2 passes through. The second datagram field 160 of the second EtherCAT data packet E2 assigned to the EtherCAT/PROFINET gateway 3 is then not written into further and remains empty, since there are still no write data in the EtherCAT/PROFINET gateway 3.

The FSoE safety subscriber 12, on the other hand, enters second data “FSoE message with FSoE data” as write data into the assigned first datagram field 150 of the second EtherCAT data packet E2 when the second EtherCAT data packet E2 passes through. The second data “FSoE-message with FSoE-data” thereby correspond to the first data “FSoE-message with FSoE-data” as long as the FSoE-safety subscriber 12 has not yet received a response and the FSoE-safety subscriber 12 therefore has not yet generated new data in reaction to the response. The EtherCAT master 11 then receives the second EtherCAT data packet E2 comprising the second data “FSoE message with FSoE data”.

The processing of the first data “FSoE-message with FSoE-data” in the EtherCAT/PROFINET gateway 3 shown in FIG. 2 is carried out as follows:

In the EtherCAT/PROFINET gateway 3 the single-channel software module EtherCAT slave functions 311 copies the first data “FSoE message with FSoE data” from the EtherCAT memory 33 of the EtherCAT slave controller 32 to the FSoE memory 312 of the microcontroller 31. From the FSoE memory 312, the dual-channel software module safety functions 4 reads the first data “FSoE message with FSoE data”, then converts the data into first data “PROFIsafe message with FSoE data” and subsequently stores the first data “PROFIsafe message with FSoE data” in the PROFIsafe memory 314 of the microcontroller 31.

The single-channel software module PROFINET slave functions 313 reads the first data “PROFIsafe message with FSoE data” from the PROFIsafe memory 313 of the microcontroller 31 and stores the first data “PROFIsafe message with FSoE data” in the PROFINET memory 35.

As further shown in FIG. 3, the PROFINET slave controller 34 sends the first data “PROFIsafe message with FSoE data” stored in the PROFINET memory 35 in a user data field 155 of a first PROFINET data packet P1 to the PROFINET master 21. In the first PROFINET data packet P1, the PROFINET master 21 is specified as the target address DA in the header 700 in the target address field 120 and the EtherCAT/PROFINET gateway 3 is specified as the source address SA in the source address field 125.

The PROFINET master 21 receives the first PROFINET data packet P1, copies the first data “PROFIsafe message with FSoE data” and sends a second PROFINET data packet P2 to the PROFINET slave subscriber PROFIsafe safety subscriber 22. In the second PROFINET data packet P2, the PROFIsafe safety subscriber 22 is specified as the target address DA in the header 700 in the target address field 120 and the PROFINET master 21 is specified as the source address SA in the source address field 125. After receiving the second PROFINET data packet P2, the PROFIsafe safety subscriber 22 then reads out the first data “PROFIsafe message with FSoE data” from the user data field 155.

In FIG. 4, PROFIsafe data are then transmitted from the PROFIsafe safety subscriber 22 to the FSoE safety subscriber 12 in response to the received FSoE data. For this purpose, the PROFINET slave subscriber PROFIsafe-safety subscriber 22 sends a third PROFINET data packet P3 with the first data “PROFIsafe message with PROFIsafe data” in user data field 155 to the PROFINET master 21. In the third PROFINET data packet P3, the PROFINET master 21 is specified as the target address DA in the header 700 in the target address field 120 and the PROFIsafe safety subscriber 22 is specified as the source address SA in source address field 125.

The PROFINET master 21 receives the third PROFINET data packet P3 and copies the data “PROFIsafe message with PROFIsafe data” into the user data field 155 of a fourth PROFINET data packet P4. The PROFINET master 21 then sends the fourth PROFINET data packet P4 to the EtherCAT/PROFINET gateway 3. In the fourth PROFINET data packet P4, the EtherCAT/PROFINET gateway 3 is specified in the header 700 as the target address DA in target address field 120 and the PROFINET master 21 is specified as the source address SA in source address field 125.

The processing of the first data “PROFIsafe message with PROFIsafe data” in the EtherCAT/PROFINET gateway 3 shown in FIG. 2 is carried out as follows:

The PROFINET slave controller 34 of the EtherCAT/PROFINET gateway 3 stores the first data “PROFIsafe message with PROFIsafe data” from the fourth PROFINET data packet P4 in the PROFINET memory 35. The single-channel software module PROFINET slave functions 313 of the EtherCAT/PROFINET gateway 3 then transfers the first data “PROFIsafe message with PROFIsafe data” into the PROFIsafe memory 314 of the microcontroller 31.

The dual-channel software module safety functions 4 reads out the first data “PROFIsafe message with PROFIsafe data” from the PROFIsafe memory 314, converts the first data “PROFIsafe message with PROFIsafe data” into first data “FSoE message with PROFIsafe data” and then stores the first data “FSoE message with PROFIsafe data” in the FSoE memory 312 of the microcontroller 31. From there, the single-channel software module EtherCAT slave functions 311 reads out the first data “FSoE message with PROFIsafe data” and writes the first data “FSoE message with PROFIsafe data” as write data into the EtherCAT memory 33 of the EtherCAT slave controller 32.

As FIG. 4 further shows, the EtherCAT master 11 sends a third EtherCAT data packet E3 to the EtherCAT slave subscribers FSoE safety subscriber 12 and EtherCAT/PROFINET gateway 3. The datagram assigned to FSoE safety subscriber 12 is empty, since no data for the FSoE safety subscriber 12 is available in the EtherCAT master 11. In the datagram for the EtherCAT/PROFINET gateway 3, however, the EtherCAT master 11 has entered the second data “FSoE message with FSoE data” from the second EtherCAT data packet E2 as read data into the second datagram field 160. The second data “FSoE-message with FSoE-data” correspond to the first data “FSoE-message with FSoE-data” as long as the FSoE-safety subscriber 12 has not yet received a response and the FSoE-safety subscriber 12 has therefore not yet generated any new data in reaction to the response.

The EtherCAT slave controller 32 of the EtherCAT/PROFINET gateway 3 reads out the second data “FSoE message with FSoE data” from the assigned second datagram field 160 in the third EtherCAT data packet E3 when the third EtherCAT data packet E3 passes through. Subsequently, the EtherCAT slave controller 32 of the EtherCAT/PROFINET gateway 3 then enters the first data “FSoE message with PROFIsafe data” into the assigned second datagram field 160 of the third EtherCAT data packet E3.

The processing of the second data “FSoE-message with FSoE-data” is carried out in the EtherCAT/PROFINET gateway 3 in the same way as for the first data “FSoE-message with FSoE-data” to generate second data “PROFISafe-Message with FSoE-Data”, which is then intended for the PROFINET slave subscriber PROFIsafe-safety subscriber 22.

When the third EtherCAT data packet E3 passes through, the FSoE safety subscriber 12 also enters third data “FSoE message with FSoE data” into the assigned first datagram field 150 of the third EtherCAT data packet E3. The third data “FSoE message with FSoE data” correspond to the first and second data “FSoE message with FSoE data”, respectively, as long as the FSoE safety subscriber 12 has not yet received a response and the FSoE safety subscriber 12 has therefore not yet generated any new data in reaction to the response. The EtherCAT master 11 then receives the third EtherCAT data packet E3 on the return path.

From the third EtherCAT data packet E3, the EtherCAT master 11 copies the first data “FSoE message with PROFIsafe data” as read data for the EtherCAT slave subscriber FSoE safety subscriber 12 into the assigned first datagram field 150 of a fourth EtherCAT data packet E4. Furthermore, the EtherCAT master 11 transfers the third data “FSoE message with FSoE data” from the third EtherCAT data packet E3 as read data into the second datagram field 160 for the EtherCAT slave subscriber EtherCAT/PROFINET gateway 3 in the fourth EtherCAT data packet E4.

The EtherCAT master 11 sends the fourth EtherCAT data packet E4 to the EtherCAT slave subscriber FSoE safety subscriber 12 and EtherCAT/PROFINET gateway 3. When the fourth EtherCAT data packet E4 passes through, the EtherCAT slave subscriber FSoE safety subscriber 12 reads out the first data “FSoE message with PROFIsafe data” from the assigned first datagram field 150 of the fourth EtherCAT data packet E4. Subsequently, the FSoE safety subscriber 12 then enters the fourth data “FSoE message with FSoE data” into the assigned first datagram field 150 of the fourth EtherCAT data packet E4. The fourth data “FSoE message with FSoE data” correspond to the first, second and third data “FSoE message with FSoE data”, respectively, as long as the FSoE safety subscriber 12 has not yet received a response and the FSoE safety subscriber 12 has therefore not yet generated any new data in reaction to the response.

Furthermore, the EtherCAT slave controller 32 of the EtherCAT/PROFINET gateway 3 reads out the third data “FSoE message with FSoE data” from the assigned second datagram field 160 in the fourth EtherCAT data packet E4 when the fourth EtherCAT data packet E4 passes through. The processing of the third data “FSoE-message with FSoE-data” is carried out in the EtherCAT/PROFINET gateway 3 in the same way as for the first data “FSoE-message with FSoE-data” to generate third data “PROFISafe-message with FSoE-data” which is then destined for the PROFINET slave subscriber PROFIsafe-safety subscriber 22.

After reading out the third data “FSoE-message with FSoE-data” from the assigned second datagram field 160 in the fourth EtherCAT data packet E4, the EtherCAT slave controller 32 of the EtherCAT/PROFINET gateway 3 enters second data “FSoE-message with PROFIsafe-data” into the assigned second datagram field 160 of the fourth EtherCAT data packet E4. The EtherCAT/PROFINET gateway 3 has generated the second data “FSoE-message with PROFIsafe-data” from second data “PROFIsafe-message with PROFIsafe-data”, which was transmitted with two further PROFINET data packets in the same way as the first data “PROFIsafe-message with PROFIsafe-data” from the PROFIsafe safety subscriber 22 via the PROFINET master 21 to the EtherCAT/PROFINET gateway 3.

The EtherCAT master 11 then receives the fourth EtherCAT data packet E4 having the fourth data “FSoE message with FSoE data” and the second data “FSoE message with PROFIsafe data”. Data transmission between the FSoE safety subscriber 12 and the PROFIsafe safety subscriber 22 is then continued in the manner explained in conjunction with FIG. 3 and FIG. 4.

FIG. 5 shows an implementation of an EtherCAT/IO-link gateway 300 with an FSoE/IO-link safety protocol implementation. The components of the EtherCAT/IO-link gateway 300, which correspond to components of the EtherCAT/PROFINET gateway 3 shown in FIG. 2, are provided with the same reference numerals and are not described again below.

The EtherCAT/IO-link gateway 300 is directly connected to an IO-link network 200 with a single-channel software module IO-link master functions 513 arranged on the microcontroller 31 as an interface to exchange messages with an IO-link safety slave subscriber. The single-channel software module IO-link master functions 513 operates, inter alia, as a single-channel second filter 323 to determine IO-link safety messages from messages received from the IO-link slave subscriber.

The IO-link master functions software module 513 is further connected to an IO-link safety memory 514 in which the IO-link safety messages are stored. The IO-link safety memory 514 also has an interface to the dual-channel software module safety functions 4.

A black channel is present in the EtherCAT/IO-link gateway 300 up to the software module safety functions 4. The safety functions software module 4 may then detect changes to the IO-link safety messages. The safety functions software module 4 is also embodied to convert FSoE messages into IO-link safety messages and IO-link safety messages into FSoE messages.

The EtherCAT/IO-link gateway 300 operates as follows when converting an FSoE message into an IO-link safety message: An FSoE message in an EtherCAT data packet is written to the EtherCAT memory 33 by the EtherCAT slave controller 32, said EtherCAT memory 33 being the interface between the EtherCAT slave controller 32 and the microcontroller 31. From the EtherCAT memory 33, the FSoE message is transferred by the single-channel software module EtherCAT slave functions 311 to the FSoE memory 312, which forms the interface to the dual-channel software module safety functions 4.

The black channel extends up to the dual-channel software module safety functions 4, wherein the dual-channel safety module safety functions 4 detects changes to the FSoE message. The dual-channel software module safety functions 4 converts the FSoE message into an IO-link Safety message and stores the IO-link Safety message in the IO-link Safety memory 514, which forms the interface between the dual-channel software module safety functions 4 and the single-channel software module IO-link master functions 513. The single-channel software module IO-link master functions 513 reads the IO-link safety message from the IO-link safety memory 514 and then sends the IO-link safety message to the IO-link safety slave subscriber.

Conversely, an IO-link safety message sent by the IO-link safety slave subscriber is received by the single-channel software module IO-link master functions 513 and copied to the IO-link safety memory 514, which forms the interface to the dual-channel software module safety functions 4. The black channel extends up to this point, wherein the dual-channel safety module safety functions 4 detects changes to the IO-link safety message.

The dual-channel software module safety functions 4 converts the IO-link Safety message into an FSoE message and stores the FSoE message in the FSoE memory 312, which forms the interface between the dual-channel software module safety functions 4 and the single-channel software module EtherCAT slave functions 311. The single-channel software module EtherCAT slave functions 311 copies the FSoE message from the FSoE memory 312 into the EtherCAT memory 33, which forms the interface between EtherCAT slave controller 32 and the single-channel software module EtherCAT slave functions 311.

If an EtherCAT data packet is received by the EtherCAT slave controller 32 to read the EtherCAT memory 33 of the EtherCAT/IO-link gateway 300, the FSoE message is inserted into the EtherCAT data packet by the EtherCAT slave controller 32 in passing.

The software module operational function module 315 provided on the microprocessor 31 ensures that the dual-channel software module safety functions 4, the single-channel software module IO-link Master Functions 513 and the single-channel module EtherCAT slave functions 311 are addressed cyclically.

The EtherCAT/IO-link gateway 300 is shown as an EtherCAT slave subscriber. However, the safety gateway could also be a subscriber of another field-bus system, since the FSoE protocol is not restricted to transmission on the EtherCAT field bus.

FIG. 6 shows the structure of a safety gateway that performs a conversion between the FSoE protocol and a safety hardware protocol. Components that correspond to components of the EtherCAT/PROFINET gateway 3 shown in FIG. 2 are indicated by the same reference numerals and are not described again below.

The safety gateway, further referred to as EtherCAT/hardware gateway 301, is connected to a hardware 201 by means of a single-channel software module standard functions arranged on the microcontroller 31 to exchange messages with a hardware subscriber. The interface of the standard functions software module 613 to the hardware 201 may e.g. be an IO port, a serial port, a data bus, or a field bus.

The single-channel software module standard functions 613 inter alia operates as a single-channel second filter 323 to determine safety messages from messages received from the hardware subscriber. The software module standard functions 613 may further contain any other non-safety related functions.

The standard functions software module 613 is further connected to a safety memory 614, in which the safety messages are stored. The safety memory 614 also comprises an interface to the dual-channel software module safety functions 4.

A black channel extends up to the software module safety functions 4 in the EtherCAT/hardware gateway 301. The software module safety functions 4 may then detect changes to the safety messages. The software module safety functions 4 is embodied to convert FSoE messages into safety messages and safety messages into FSoE messages.

It is possible for the safety functions software module 4 to also comprise a hardware interface. It may also be provided that the safety functions 4 software module executes any software functions. The software functions may e.g. also be configurable, similar to a safety logic. The software module safety functions 4 may then process data that are received or sent via the hardware interface, from the other software modules in the gateway or via the FSoE message. Such an embodiment of the software module safety functions 4 is also possible for the gateways shown in FIG. 2 and FIG. 5.

When converting an FSoE message into a safety message, the EtherCAT/hardware gateway 301 operates as follows: An FSoE message in an EtherCAT data packet is written to the EtherCAT memory 33 by the EtherCAT slave controller 32, said EtherCAT memory being the interface between the EtherCAT slave controller 32 and the microcontroller 31. From the EtherCAT memory 33, the FSoE message is transferred by the single-channel software module EtherCAT slave functions 311 to the FSoE memory 312, which forms the interface to the dual-channel software module safety functions 4.

The black channel extends up to the dual-channel software module safety functions 4, the dual-channel safety module safety functions 4 detecting changes to the FSoE message. The dual-channel software module safety functions 4 converts the FSoE message into a safety message and stores the safety message in the safety memory 614, which forms the interface between the dual-channel software module safety functions 4 and the single-channel software module standard functions 613. The single-channel software module standard functions 613 reads out the safety message from the safety memory 614 and then sends the safety message to the hardware station.

Conversely, a safety message sent by the hardware station is received by the single-channel software module standard functions 613 and copied to the safety memory 614, which forms the interface to the dual-channel software module safety functions 4. The black channel extends up to this point, the dual-channel safety module safety functions 4 detecting changes to the safety message.

The dual-channel software module safety functions 4 converts the safety message into an FSoE message and stores the FSoE message in the FSoE memory 312, which forms the interface between the dual-channel software module safety functions 4 and the single-channel software module EtherCAT slave functions 311. The single-channel software module EtherCAT slave functions 311 copies the FSoE message from the FSoE memory 312 into the EtherCAT memory 33, which forms the interface between EtherCAT slave controller 32 and the single-channel software module EtherCAT slave functions 311.

When an EtherCAT data packet is received by the EtherCAT slave controller 32 to read the EtherCAT memory 33 of the EtherCAT/hardware gateway 301, the FSoE message is inserted into the EtherCAT data packet by the EtherCAT slave controller 32 on the fly.

The software module operational function module 315 provided on the microprocessor 31 ensures that the dual-channel software module safety functions 4, the single-channel software module standard functions 613 and the single-channel module EtherCAT slave functions 311 are addressed cyclically.
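A simplified C model of the FSoE-to-hardware direction described above, added here as an illustration and not taken from the patent. The frame layout, the CRC polynomials and all function names are assumptions, and the `fault` parameter is a test hook that models one faulty safety channel.

```c
#include <stdint.h>
#include <string.h>
/* Constructed 5-byte frame, NOT the real FSoE or hardware-station layout:
 * [0] command, [1..2] payload, [3..4] big-endian CRC-16 over bytes 0..2. */
#define FRAME_LEN 5
#define POLY_FSOE 0x1021u /* assumed polynomial, illustration only */
#define POLY_HW   0x8005u /* assumed polynomial, illustration only */

static uint16_t crc16(const uint8_t *p, size_t n, uint16_t poly) {
    uint16_t crc = 0xFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= (uint16_t)(p[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (uint16_t)((crc & 0x8000u) ? (crc << 1) ^ poly : crc << 1);
    }
    return crc;
}
void seal(uint8_t *f, uint16_t poly) { /* write the CRC for one protocol */
    uint16_t c = crc16(f, 3, poly);
    f[3] = (uint8_t)(c >> 8);
    f[4] = (uint8_t)c;
}

/* One safety channel: verify source CRC, re-seal for target; `fault` is a test hook. */
static int channel(const uint8_t *in, uint8_t *out, uint16_t src, uint16_t dst, uint8_t fault) {
    if (crc16(in, 3, src) != (uint16_t)((in[3] << 8) | in[4]))
        return -1; /* message changed inside the black channel */
    memcpy(out, in, 3);
    out[1] ^= fault; /* 0 in normal operation */
    seal(out, dst);
    return 0;
}

/* Dual-channel safety module: both channels must succeed and agree. */
int safety_convert(const uint8_t *in, uint8_t *out, uint16_t src, uint16_t dst, uint8_t fault_b) {
    uint8_t a[FRAME_LEN], b[FRAME_LEN];
    if (channel(in, a, src, dst, 0) || channel(in, b, src, dst, fault_b))
        return -1;
    if (memcmp(a, b, FRAME_LEN) != 0)
        return -2; /* channels disagree: release nothing */
    memcpy(out, a, FRAME_LEN);
    return 0;
}

/* One cycle, FSoE side to hardware side; the copy is the single-channel part. */
int gateway_cycle(const uint8_t *ethercat_mem, uint8_t *safety_mem, uint8_t fault_b) {
    uint8_t fsoe_mem[FRAME_LEN];
    memcpy(fsoe_mem, ethercat_mem, FRAME_LEN); /* no interpretation here */
    return safety_convert(fsoe_mem, safety_mem, POLY_FSOE, POLY_HW, fault_b);
}
```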

The EtherCAT/hardware gateway 301 is shown as EtherCAT slave subscriber. However, the safety gateway could also be a subscriber of another field-bus system, since the FSoE protocol is not restricted to transmission on the EtherCAT field bus.

This invention has been described with respect to exemplary embodiments. It is understood that changes can be made and equivalents can be substituted to adapt these disclosures to different materials and situations, while remaining within the scope of the invention. The invention is thus not limited to the particular examples that are disclosed, but encompasses all the embodiments that fall within the scope of the claims.

What is claimed is:
 1. A protocol converter for converting safety-relevant messages between a first network and a second network, wherein the first and second networks use different network protocols for message exchange, wherein the first network comprises at least one first subscriber having a first safety communication layer which processes a first safety communication protocol, and wherein the second network comprises at least one second subscriber having a second safety communication layer which processes a second safety communication protocol; the protocol converter comprising a single-channel interface which allowing for message exchange with the first network and/or with the second network, a single-channel filter connected to the interface for determining messages with the first safety communication protocol and messages with the second safety communication protocol from messages received by the interface, and an at least dual-channel safety module connected to the single-channel filter for converting messages with the first safety communication protocol detected by the filter into messages with the second safety communication protocol and for converting messages with the second safety communication protocol detected by the single-channel filter into messages with the first safety communication protocol, respectively.
 2. The protocol converter according to claim 1, wherein the safety module comprises at least two parallel software function channels.
 3. The protocol converter according to claim 1, wherein said single-channel interface comprises a single-channel first interface allowing for message exchange with said first network comprising said at least one first subscriber with said first safety communication layer processing said first safety communication protocol, and a single-channel second interface enabling message exchange with said second network comprising said at least one second subscriber with said second safety communication layer processing said second safety communication protocol, wherein said single-channel filter comprises a single-channel first filter to determine messages with said first safety communication protocol from messages received from said first interface, and a single-channel second filter to determine messages with said second safety communication protocol from messages received from said second interface, and wherein the at least dual-channel safety module is connected to the single-channel first and second filters to convert messages with the first safety communication protocol detected by the single-channel first filter into messages with the second safety communication protocol and to convert messages with the second safety communication protocol detected by the single-channel second filter into messages with the first safety communication protocol, respectively.
 4. The protocol converter according to claim 3, wherein the first and/or second interface comprises a bus controller for a field bus, a serial interface for a point-to-point connection or a dual-port RAM memory for a data bus.
 5. The protocol converter according to claim 3, wherein the first and/or second filter comprises further non-safety-relevant functions.
 6. The protocol converter according to claim 1, wherein the safety module comprises further safety-relevant functions.
 7. The protocol converter according to claim 1, comprising a single channel operational function module connected to the single-channel filter and the safety module in order to cyclically invoke the single-channel filter and the safety module.
 8. An automation system comprising a first network and a second network using different network protocols, wherein the first network comprises at least one first subscriber having a first safety communication layer processing a first safety communication protocol, wherein the second network comprises at least one second subscriber having a second safety communication layer processing a second safety communication protocol, and wherein between the first network and the second network a protocol converter for converting safety-relevant messages between a first network and a second network is provided; the protocol converter comprising: a single-channel interface which allowing for message exchange with the first network and/or with the second network, a single-channel filter connected to the interface for determining messages with the first safety communication protocol and messages with the second safety communication protocol from messages received by the interface device, and an at least dual-channel safety module connected to the single-channel filter for converting messages with the first safety communication protocol detected by the filter into messages with the second safety communication protocol and for converting messages with the second safety communication protocol detected by the single-channel filter into messages with the first safety communication protocol, respectively.
 9. The automation system according to claim 8, wherein the safety module comprises at least two parallel software function channels.
 10. The automation system according to claim 8, wherein said single-channel interface comprises a single-channel first interface allowing for message exchange with said first network comprising said at least one first subscriber with said first safety communication layer processing said first safety communication protocol, and a single-channel second interface enabling message exchange with said second network comprising said at least one second subscriber with said second safety communication layer processing said second safety communication protocol, wherein said single-channel filter comprises a single-channel first filter to determine messages with said first safety communication protocol from messages received from said single-channel first interface, and a single-channel second filter to determine messages with said second safety communication protocol from messages received from said second interface, and wherein the at least dual-channel safety module is connected to the single-channel first and second filters to convert messages with the first safety communication protocol detected by the single-channel first filter into messages with the second safety communication protocol and to convert messages with the second safety communication protocol detected by the single-channel second filter into messages with the first safety communication protocol, respectively.
 11. The automation system according to claim 10, wherein the first and/or second interface comprises a bus controller for a field bus, a serial interface for a point-to-point connection or a dual-port RAM memory for a data bus.
 12. The automation system according to claim 10, wherein the single-channel first and/or second filter comprises further non-safety-relevant functions.
 13. The automation system according to claim 8, wherein the safety module comprises further safety-relevant functions.
 14. The automation system according to claim 8, comprising a single channel operational function module connected to the single-channel filter and the safety module in order to cyclically invoke the filter and the safety module.
 15. A protocol converter for converting safety-related messages between a first network and a second network, comprising: a single-channel interface that allows for message exchange with a network, a single-channel filter connected to the interface determines messages having a first safety communication protocol and messages having a second safety communication protocol from messages received by the interface device, and a dual-channel safety module connected to the single-channel filter and converting the messages with the first safety communication protocol determined by the single-channel filter into messages with a second safety communication protocol, and converting the messages with the second safety communication protocol determined by the single-channel filter into messages with the first safety communication protocol.
 16. The protocol converter according to claim 15, wherein the safety module comprises at least two parallel software function channels.
 17. The protocol converter according to claim 1, wherein said single-channel interface comprises a single-channel first interface allowing for message exchange with a first network comprising at least one first subscriber with a first safety communication layer processing said first safety communication protocol, and a single-channel second interface enabling message exchange with a second network comprising at least one second subscriber with a second safety communication layer processing said second safety communication protocol, wherein said single-channel filter comprises a single-channel first filter to determine messages with said first safety communication protocol from messages received from said first interface, and a single-channel second filter to determine messages with said second safety communication protocol from messages received from said second interface, and wherein the at least dual-channel safety module is connected to the single-channel first and second filters to convert messages with the first safety communication protocol detected by the single-channel first filter into messages with the second safety communication protocol and to convert messages with the second safety communication protocol detected by the single-channel second filter into messages with the first safety communication protocol, respectively.
 18. The protocol converter according to claim 17, wherein the safety module comprises further safety-relevant functions.
 19. The protocol converter according to claim 17, comprising a single channel operational function module connected to the single-channel filter and the safety module in order to cyclically invoke the filter and the safety module.